Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer-implemented method comprising: receiving, by an analysis platform, a resolution status for a plurality of insights generated by the analysis platform, the resolution status indicating if each insight was a true positive or a false positive; generating a global training set comprising the resolution status for the plurality of insights; generating a local training set comprising the resolution status for a subset of the plurality of insights associated with a first user; training, using the global training set, a machine-learning program to obtain a global model; training, using the local training set, a machine-learning program to obtain a local model for the first user; detecting, by the analysis platform, a new insight for the first user; obtaining, using the global model, a global score for the new insight; obtaining, using the local model, a local score for the new insight; calculating a confidence score for the new insight based on the global score and the local score, the confidence score being an indication of an estimated severity of the new insight; and causing presentation of the new insight and the confidence score on a display.
2. The method as recited in claim 1, wherein the global training set comprises values for a plurality of features, the plurality of features comprising an indicator if the insight was a true positive or a false positive, an identifier of a product associated with the insight, an entity associated with the insight, at least one mitre tactic, and a set of rules that triggered the insight.
3. The method as recited in claim 1, wherein the insight is an indication of a security incident based on detection rules.
4. The method as recited in claim 1, wherein the insight is generated when a combination of signals is identified, each signal being generated when a corresponding detection rule is triggered.
5. The method as recited in claim 1, wherein calculating the confidence score comprises: adding the global score factored by a mixing parameter with the local score factored by one minus the mixing parameter.
6. The method as recited in claim 1, wherein an input to the global model includes values for a plurality of features associated with the insight and an output includes the global score.
7. The method as recited in claim 1, wherein calculating the confidence score comprises: making the confidence score equal to the global score when a number of entries in the local training set is below a predetermined threshold.
8. The method as recited in claim 1, wherein generating the global training set comprises: discarding from the global training set entries including previously unseen vendor rules.
9. The method as recited in claim 1, further comprising: reserving a subset of the plurality of insights for checking global model drift over time.
10. The method as recited in claim 1, further comprising: reserving a subset of the plurality of insights for validating the global model.
11. A system comprising: a memory comprising instructions; and one or more computer processors, wherein the instructions, when executed by the one or more computer processors, cause the system to perform operations comprising: receiving, by an analysis platform, a resolution status for a plurality of insights generated by the analysis platform, the resolution status indicating if each insight was a true positive or a false positive; generating a global training set comprising the resolution status for the plurality of insights; generating a local training set comprising the resolution status for a subset of the plurality of insights associated with a first user; training, using the global training set, a machine-learning program to obtain a global model; training, using the local training set, a machine-learning program to obtain a local model for the first user; detecting, by the analysis platform, a new insight for the first user; obtaining, using the global model, a global score for the new insight; obtaining, using the local model, a local score for the new insight; calculating a confidence score for the new insight based on the global score and the local score, the confidence score being an indication of an estimated severity of the new insight; and causing presentation of the new insight and the confidence score on a display.
12. The system as recited in claim 11, wherein the global training set comprises values for a plurality of features, the plurality of features comprising an indicator if the insight was a true positive or a false positive, an identifier of a product associated with the insight, an entity associated with the insight, at least one mitre tactic, and a set of rules that triggered the insight.
13. The system as recited in claim 11, wherein the insight is an indication of a security incident based on detection rules.
14. The system as recited in claim 11, wherein the insight is generated when a combination of signals is identified, each signal being generated when a corresponding detection rule is triggered.
15. The system as recited in claim 11, wherein calculating the confidence score comprises: adding the global score factored by a mixing parameter with the local score factored by one minus the mixing parameter.
16. A tangible machine-readable storage medium including instructions that, when executed by a machine, cause the machine to perform operations comprising: receiving, by an analysis platform, a resolution status for a plurality of insights generated by the analysis platform, the resolution status indicating if each insight was a true positive or a false positive; generating a global training set comprising the resolution status for the plurality of insights; generating a local training set comprising the resolution status for a subset of the plurality of insights associated with a first user; training, using the global training set, a machine-learning program to obtain a global model; training, using the local training set, a machine-learning program to obtain a local model for the first user; detecting, by the analysis platform, a new insight for the first user; obtaining, using the global model, a global score for the new insight; obtaining, using the local model, a local score for the new insight; calculating a confidence score for the new insight based on the global score and the local score, the confidence score being an indication of an estimated severity of the new insight; and causing presentation of the new insight and the confidence score on a display.
17. The tangible machine-readable storage medium as recited in claim 16, wherein the global training set comprises values for a plurality of features, the plurality of features comprising an indicator if the insight was a true positive or a false positive, an identifier of a product associated with the insight, an entity associated with the insight, at least one mitre tactic, and a set of rules that triggered the insight.
18. The tangible machine-readable storage medium as recited in claim 16, wherein the insight is an indication of a security incident based on detection rules.
19. The tangible machine-readable storage medium as recited in claim 16, wherein the insight is generated when a combination of signals is identified, each signal being generated when a corresponding detection rule is triggered.
20. The tangible machine-readable storage medium as recited in claim 16, wherein calculating the confidence score comprises: adding the global score factored by a mixing parameter with the local score factored by one minus the mixing parameter.
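As an added illustration, not code from the patent or any product, the following Python shows the mechanics of claims 1, 5, 7 and 8: a global and a per-user local training set built from analyst resolutions, the local set used only once it holds enough entries, and the two scores blended with a mixing parameter. The machine-learning program is left unspecified by the claims, so a per-rule true-positive rate stands in for it; the tenant names, rule ids, alpha and threshold values are constructed, and the claim 2 features (product, entity, MITRE tactic) are omitted for brevity.

```python
"""Added example: global/local false-positive scoring as described in the claims.
The per-rule true-positive rate below is an assumed stand-in for the
machine-learning program; the data, alpha and threshold are constructed."""
from collections import defaultdict

# Constructed analyst resolutions: (tenant, rules that triggered, was_true_positive)
RESOLVED = [
    ("acme", ("R1", "R2"), True),
    ("acme", ("R1",), True),
    ("acme", ("R3",), False),
    ("acme", ("R2",), True),
    ("beta", ("R1",), False),
    ("beta", ("R2", "R3"), False),
    ("beta", ("R1", "R2"), True),
    ("beta", ("R9",), True),      # R9 is a previously unseen vendor rule
]
KNOWN_RULES = {"R1", "R2", "R3"}  # rules the platform has seen before

def build_training_sets(resolved, tenant, known_rules):
    """Claim 8: entries carrying unseen vendor rules are dropped from the global set."""
    global_set = [r for r in resolved if set(r[1]) <= known_rules]
    local_set = [r for r in global_set if r[0] == tenant]
    return global_set, local_set

def train(training_set):
    """Stand-in model: fraction of resolutions per rule that were true positives."""
    hits, seen = defaultdict(int), defaultdict(int)
    for _, rules, true_positive in training_set:
        for rule in rules:
            seen[rule] += 1
            hits[rule] += int(true_positive)
    return {rule: hits[rule] / seen[rule] for rule in seen}

def score(model, rules, prior=0.5):
    """Average the per-rule rates of the triggering rules; unknown rules get the prior."""
    return sum(model.get(r, prior) for r in rules) / len(rules)

def confidence(global_score, local_score, n_local, alpha=0.6, min_local=4):
    """Claim 7: fall back to the global score while the local set is below the
    threshold; otherwise claim 5: alpha * global + (1 - alpha) * local."""
    if n_local < min_local:
        return global_score
    return alpha * global_score + (1 - alpha) * local_score

def triage(tenant, rules, resolved=RESOLVED, known_rules=KNOWN_RULES):
    """Claim 1 end to end: build both sets, train both models, score a new insight."""
    global_set, local_set = build_training_sets(resolved, tenant, known_rules)
    g_score = score(train(global_set), rules)
    l_score = score(train(local_set), rules)
    return confidence(g_score, l_score, len(local_set))
```

With the constructed data, tenant acme has four local resolutions and gets the blended score, while tenant beta (three usable entries after the unseen-rule filter) falls back to the global score alone.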
January 28, 2025